Backtrack 5: Information Gathering: Network Analysis: DNS Analysis: dnsdict6
A while back purehate and I started writing articles related to Backtrack in an attempt to write a single article about each application available within Backtrack 4. Things came up and we never accomplished that goal, so here we go again with a second attempt to write a single article for every Backtrack application. If you have requests for any applications, we will move them up in priority so the application you need more information on will have an article released sooner.
With that being said, dnsdict6 is a CLI utility that was built to enumerate IPv6 sub domains for a specific domain name. Below I describe the command line switches available and provide examples so you can see what type of output dnsdict6 provides. All commands, examples, and command output were issued via Backtrack 5 R2.
The dnsdict6 Help Output:
root@bt:~# dnsdict6 -h
dnsdict6 v1.8 (c) 2011 by van Hauser / THC <firstname.lastname@example.org> www.thc.org
Syntax: dnsdict6 [-d46] [-s|-m|-l|-x] [-t THREADS] [-D] domain [dictionary-file]
Enumerates a domain for DNS entries, it uses a dictionary file if supplied
or a built-in list otherwise. This tool is based on dnsmap by gnucitizen.org.
Options:
 -4 also dump IPv4 addresses
 -t NO specify the number of threads to use (default: 8, max: 32).
 -D dump the selected built-in wordlist, no scanning.
 -d display IPv6 information on NS and MX DNS domain information.
 -[smlx] choose the dictionary size by -s(mall=50), -m(edium=796) (DEFAULT)
 -l(arge=1416), or -x(treme=3211)
As you can see above, dnsdict6 is fairly basic and provides functionality similar to a bunch of other DNS sub domain enumerators. The differences are that it is specifically geared towards IPv6, the output is clean, and it's very easy to use. Below are some examples of the dnsdict6 command, each followed by a brief description of what the switches accomplish.
Use dnsdict6 To Enumerate IPv6 Sub Domains:
root@bt:~# dnsdict6 afraid.org words
Starting enumerating afraid.org. - creating 8 threads for 36 words...
Estimated time to completion: 1 to 1 minute
ipv6.afraid.org. => 2001:470:d19b::203
agent.afraid.org. => 2001:380:e0a:134::5
v6.afraid.org. => 2001:618:400::d4a0:81c2
Found 3 domain names and 3 unique ipv6 addresss for afraid.org.
The above output is what dnsdict6 was built for, which is to enumerate IPv6 sub domains. We simply type the command dnsdict6 followed by the domain afraid.org and then a wordlist name. For these examples I created a wordlist called words so we didn’t have too many lines of output confusing the intention of the article. In the example above I used afraid.org since it was the first domain I found that had IPv6 sub domains enabled, but for all of the rest of the examples I will be using louisville.edu.
Use dnsdict6 To Enumerate Both IPv4 & IPv6 Sub Domains:
root@bt:~# dnsdict6 -4 louisville.edu words
Starting enumerating louisville.edu. - creating 8 threads for 36 words...
Estimated time to completion: 1 to 1 minute
dev.louisville.edu. -> 184.108.40.206
vpn.louisville.edu. -> 220.127.116.11
mail.louisville.edu. -> 18.104.22.168
mail.louisville.edu. -> 22.214.171.124
mail.louisville.edu. -> 126.96.36.199
www.louisville.edu. -> 188.8.131.52
security.louisville.edu. -> 184.108.40.206
Found 5 domain names, 7 unique ipv4 and 0 unique ipv6 addresses for louisville.edu.
The above is very similar in output, except notice that the -4 switch on the command line enables the output of IPv4 addresses (shown with -> rather than the => used for IPv6) as they relate to sub domains in the wordlist being used. Also notice that mail.louisville.edu has three output lines, which represent the three different IP addresses associated with this sub domain. This type of output can be beneficial during a pentest to verify that all three IPs associated with this sub domain have the same security settings and OS/software patches.
Use dnsdict6 To Display IPv6 NS & MX Domain Info:
root@bt:~# dnsdict6 -d louisville.edu words2
NS of louisville.edu. is pan.ipv6.louisville.edu. => 2610:1e0:1800:af1::1
NS of louisville.edu. is hermes.ipv6.louisville.edu. => 2610:1e0:1800:f1::1
No IPv6 address for MX entries found in DNS for domain louisville.edu.
Starting enumerating louisville.edu. - creating 2 threads for 2 words...
Estimated time to completion: 1 to 1 minute
The -d switch will provide NS (Name Server) as well as MX (Mail Exchange) domain information. Notice above how there is no IPv6 information for any of the MX records that are returned from the domain, but there are IPv6 records for the name servers. On a side note, I created a second wordlist that only contains one entry so the output would only be NS and MX domain information; it is used in the above command as well as the one below.
Use dnsdict6 To Display IPv6 & IPv4 NS & MX Domain Info:
root@bt:~# dnsdict6 -d -4 louisville.edu words2
NS of louisville.edu. is pan.ipv6.louisville.edu. -> 220.127.116.11
NS of louisville.edu. is pan.ipv6.louisville.edu. => 2610:1e0:1800:af1::1
NS of louisville.edu. is midnight.state.ky.us. -> 18.104.22.168
NS of louisville.edu. is hermes.ipv6.louisville.edu. -> 22.214.171.124
NS of louisville.edu. is hermes.ipv6.louisville.edu. => 2610:1e0:1800:f1::1
NS of louisville.edu. is hermes.louisville.edu. -> 126.96.36.199
NS of louisville.edu. is pan.louisville.edu. -> 188.8.131.52
No IPv6 address for NS entries found in DNS for domain louisville.edu.
MX of louisville.edu. is incoming2.louisville.edu. -> 184.108.40.206
MX of louisville.edu. is incoming3.louisville.edu. -> 220.127.116.11
MX of louisville.edu. is incoming1.louisville.edu. -> 18.104.22.168
No IPv6 address for MX entries found in DNS for domain louisville.edu.
Starting enumerating louisville.edu. - creating 2 threads for 2 words...
Estimated time to completion: 1 to 1 minute
Found 0 domain names, 0 unique ipv4 and 0 unique ipv6 addresses for louisville.edu.
Above we have combined the -d switch with the -4 switch to provide NS and MX domain information for both Internet Protocol version 6 and Internet Protocol version 4. There are a lot more records for IPv4, as they are probably only preparing for IPv6 at this point.
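The -> (IPv4) and => (IPv6) lines in the outputs above can be collected per host, which makes the check mentioned earlier (every address behind a sub domain gets the same review) easy to repeat. The Python below is an added example, not part of dnsdict6 or the original article; the function names and the example.com sample data are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the dnsdict6 output format ("->" IPv4, "=>" IPv6).
# Names and addresses are documentation values, not real scan results.
SAMPLE = """\
Starting enumerating example.com. - creating 8 threads for 36 words...
NS of example.com. is ns1.example.com. -> 192.0.2.53
NS of example.com. is ns1.example.com. => 2001:db8:53::1
MX of example.com. is mx1.example.com. -> 192.0.2.25
mail.example.com. -> 192.0.2.10
mail.example.com. -> 192.0.2.11
www.example.com. -> 192.0.2.80
www.example.com. => 2001:db8::80
v6.example.com. => 2001:db8::6
Found 3 domain names, 3 unique ipv4 and 2 unique ipv6 addresses for example.com.
"""

# Optional "NS of <zone> is " / "MX of <zone> is " prefix, then host, arrow, address.
LINE = re.compile(r"^(?:(NS|MX) of \S+ is )?(\S+?)\.? (->|=>) (\S+)$")

def parse(output):
    """Return {host: {"v4": set, "v6": set, "roles": set}} from dnsdict6 output."""
    hosts = defaultdict(lambda: {"v4": set(), "v6": set(), "roles": set()})
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner, progress and summary lines
        role, host, _arrow, addr = m.groups()
        try:
            ip = ipaddress.ip_address(addr)  # family comes from the address itself
        except ValueError:
            continue  # arrow present but no valid address: not a record line
        hosts[host.lower()]["v4" if ip.version == 4 else "v6"].add(str(ip))
        if role:
            hosts[host.lower()]["roles"].add(role)
    return dict(hosts)

def multi_address(hosts):
    """Hosts answering with more than one address; each address needs the same checks."""
    return sorted(h for h, r in hosts.items() if len(r["v4"]) + len(r["v6"]) > 1)

def single_family(hosts, family):
    """Hosts that only have addresses in one family ("v4" or "v6")."""
    other = "v6" if family == "v4" else "v4"
    return sorted(h for h, r in hosts.items() if r[family] and not r[other])

print(multi_address(parse(SAMPLE)))
```

Feed it the saved output of a `dnsdict6 -d -4` run in place of SAMPLE to get the same per-host view for a real domain.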
Specify Number Of Threads With dnsdict6:
root@bt:~# dnsdict6 -d -4 -t 22 louisville.edu words
The above dnsdict6 command is similar to the examples previously displayed; however, this one adds the -t switch, which allows you to tweak the number of threads that dnsdict6 will spin up. The default number of threads is 8, and using the -t switch you can lower or raise this, up to a max thread count of 32.
Display Default dnsdict6 Wordlist, Count dnsdict6 Wordlist Words:
root@bt:~# dnsdict6 -D
root@bt:~# dnsdict6 -D | wc -l
798
Using the -D switch with dnsdict6 will simply output the default wordlist included with dnsdict6. We didn’t actually run the command until the second line where we pipe the output of “dnsdict6 -D” to wc to see that the default dnsdict6 wordlist includes 798 entries. It is always best practice to customize the wordlist you are using to enumerate sub domains to the target you are investigating.
There you have it. Probably more information regarding dnsdict6 than you ever wanted to know but if you had any questions regarding dnsdict6 I hope they are answered.